I'm hearing some pushback on CERT-FI's XML parser vulnerability story. According to Xerces committer Michael Glassevich, "The specific problem reported to Apache only applied to Apache Xerces C++. Xerces-J does not have the bug that was fixed in the C++ impl." This directly contradicts the original CERT-FI report. Possibly the claimed Xerces-J bug is a separate one that was fixed in CVS couple of months ago, but not yet released. This is exactly why we should insist on full and immediate disclosure of vulnerability information. Otherwise, there's no way to tell whether the problem is real, and just how bad it is.